René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Reference leaks in `_hashlib.hmac_new` and `_hashlib.hmac_digest`","articleBody":"# Bug report\n\n### Bug description:\n\nThe following leaks:\n\n```py\ndef test_leak1(self):\n    import _hashlib\n    self.assertRaises(TypeError, _hashlib.hmac_new, b\"key\", 1, \"sha256\")\n```\n\nThe issue is in `_hashlib_hmac_new_impl`:\n\n```c\n    self = PyObject_New(HMACobject, type);\n    ...\n    if ((msg_obj != NULL) \u0026\u0026 (msg_obj != Py_None)) {\n        if (!_hmac_update(self, msg_obj))\n            goto error;\n    }\n    return (PyObject*)self;\n\nerror:\n    if (ctx) HMAC_CTX_free(ctx);\n    if (self) PyObject_Free(self);\n    return NULL;\n```\n\nMore precisely, the issue is that we are only calling `PyObject_Free(self)` and we are not decrefing the type. So we need to call `Py_XDECREF(self);` instead and free `ctx` separately if `self` has not already been allocated. Note that the HMAC context is still cleared so we should not leak anything sensitive.\n\nThere is also a missing `HMAC_CTX_free` call in `_hmac_digest`, if the copy of the HMAC context fails. Again, there shouldn't be a security issue as the temporary context should still not be initialized on failure (and the secret key is not stored within, hopefully).\n\n### CPython versions tested on:\n\nCPython main branch\n\n### Operating systems tested on:\n\n_No response_\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-130152\n* gh-130491\n* gh-130539\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/picnixz","@type":"Person","name":"picnixz"},"datePublished":"2025-02-15T11:22:22.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/130151/cpython/issues/130151"}